exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ms-sqlbi.txt

ms-sqlbi.txt
Posted Jul 12, 2002
Authored by Mark Litchfield | Site ngssoftware.com

NGSSoftware Security Advisory - Microsoft's SQL Server 2000's BULK INSERT query contains a buffer overflow which allows remote code execution as LOCAL SYSTEM. To be able to use the 'BULK INSERT' query one must have the privileges of the database owner or dbo. Microsoft Security bulletin available here..

tags | remote, overflow, local, code execution, sql injection
SHA-256 | beed091eb087b240ade24c710d5e6642ca80b3f180a2cb4baf37c543862b35d4

ms-sqlbi.txt

Change Mirror Download
NGSSoftware Insight Security Research Advisory

Name: BULK INSERT Buffer Overflow
Systems Affected: Microsoft SQL Server 2000
Severity: Medium
Category: Buffer Overrun
Vendor URL: http://www.microsoft.com/
Authors: Mark Litchfield (mark@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/ms-sqlbi.txt
Date: 11th July 2002
Advisory number: #NISR11072002
VNA Reference: http://www.nextgenss.com/vna/ms-sql.txt

[Please note that this advisory relates to one of the issues discussed in
the SQL Server VNA. There are still more to be fixed.]


Description
***********
Microsoft's SQL Server 2000 contains functionality that allows a database
owner to populate a table with data with one fell swoop using the 'BULK
INSERT' query. This functionality contains a remotely exploitable buffer
overrun vulnerability that can be exploited by an attacker to run arbitrary
code.


Details
*******
The 'BULK INSERT' query will take a user supplied file name and insert the
contents of this file into a specified table. By supplying an overly long
filename to the query, a buffer is overflowed and the saved return address
stored on the stack is overwritten. This allows the attacker to gain control
over the process'
execution. SQL Server 2000 can be run in the security context of a domain
account or LOCAL SYSTEM, so depending upon the particular setup, an attacker
may be able to gain complete control over the vulnerable system.

To be able to use the 'BULK INSERT' query one must have the privileges of
the database owner or dbo. Note this does not necessarily imply 'sa'
equivalence.

Another point to note is that whilst this overflow is 'UNICODE' in nature by
supplying code as a UNICODE string exploitation is made easier.

Fix Information
***************
NGSSoftware alerted Microsoft to this problem on the 28th May 2002.
Microsoft have created a patch.

Please see their bulletin for more details:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS02-034.asp

Whilst NGSSoftware rate this as a medium risk issue, we still urge customers
to apply the patch as soon as is possible as it contains fixes for other
issues such as a buffer overflow in the pwdencrypt() function.

Further Information
*******************

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf






Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close